package org.joychou.controller;

import com.alibaba.fastjson.JSONObject;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.ResponseBody;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.util.Map;

/**
 * Java 1.7/1.8 no CRLF vulns (test in Java 1.7/1.8)
 *
 * @author JoyChou (joychou@joychou.org) @2018-01-03
 */
@Controller
@RequestMapping("/crlf")
public class CRLFInjection {

    @RequestMapping("/safecode")
    @ResponseBody
    public void crlf(HttpServletRequest request, HttpServletResponse response) {
        response.addHeader("test1", request.getParameter("test1"));
        response.setHeader("test2", request.getParameter("test2"));
        String author = request.getParameter("test3");
        Cookie cookie = new Cookie("test3", author);
        response.addCookie(cookie);
    }

    @RequestMapping("/safecode222")
    @ResponseBody
    public void selectCollectionList(Map<String, String> param, HttpServletResponse response) {
        // 对输入参数进行合法性验证，确保不包含恶意的SQL语句或其他攻击负载
        if (RegExpUtil.isSQLInjection(JSONObject.toJSONString(param))) {
            throw new SecurityException("Invalid input parameter");
        }

        // 继续处理业务逻辑
        String area = param.get("area");
        String termId = param.get("termId");

        // ... 其他代码逻辑 ...
        response.setHeader("test2", termId);


        // 返回结果
//        return response;
    }
}
